Feishu Voice
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the credentials are broad, the skill can use them to consume TTS service capacity and send Feishu bot messages within the app's permissions.
The skill requires Feishu app credentials and a Coze API key to obtain a tenant token, generate TTS, and send messages. This is purpose-aligned, but these are sensitive service credentials.
export FEISHU_APP_ID="cli_xxx" ... export FEISHU_APP_SECRET="your_secret" ... export COZE_API_KEY="your_coze_key"
Use a dedicated Feishu bot/app with the minimum required permissions and a limited Coze key; rotate or remove the credentials when no longer needed.
A mistaken invocation could send the wrong spoken message or send it to the wrong Feishu recipient.
After invocation, the script uploads audio and posts an audio message to Feishu. This matches the skill purpose, but it is a direct account-impacting action without an extra confirmation step.
SEND_RESPONSE=$(curl -s -X POST "https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=open_id" ... "msg_type": "audio")
Only invoke the skill when the intended text and recipient are clear; consider wrapping it with a confirmation step for sensitive chats.
The text being converted and the Coze credential flow depend on the installed coze-tts helper behaving as expected.
The script locates a separate coze-tts skill script in the workspace or common paths and executes it. The dependency is disclosed, but its code/provenance is outside this skill package.
elif [ -n "$OPENCLAW_WORKSPACE" ] && [ -f "$OPENCLAW_WORKSPACE/skills/coze-tts/scripts/text_to_speech.sh" ]; then ... bash "$TTS_SCRIPT" "$TEXT"
Install coze-tts only from a trusted source and verify the workspace path so the intended helper script is executed.
